US10142297B2 - Secure communication method and apparatus - Google Patents

Info

Publication number
US10142297B2
Authority
US
United States
Prior art keywords
client
key
proxy device
token
security proxy
Prior art date
Legal status
Active, expires
Application number
US15/146,814
Other languages
English (en)
Other versions
US20160337321A1 (en)
Inventor
Yumin Lin
Hongyong XIAO
Lin Zheng
Ming Xu
Current Assignee
River Security Inc
Original Assignee
River Security Inc
Priority date
Filing date
Publication date
Application filed by River Security Inc
Assigned to River Security Inc (assignors: Lin, YuMin; Xiao, Hongyong; Xu, Ming; Zheng, Lin)
Publication of US20160337321A1
Application granted
Publication of US10142297B2
Legal status: Active (adjusted expiration)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/062: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these, involving Diffie-Hellman or related key agreement protocols
    • H04L9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76: Proxy, i.e. using intermediary entity to perform cryptographic operations
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281: Proxies

Definitions

  • The present invention relates to the technical field of data security, and particularly to a secure communication method and apparatus.
  • The security issues mainly involve automated leakage of communication data, illegal man-in-the-middle attacks on the server, access to the server by an illegal client, and the like.
  • The present invention provides a secure communication method and apparatus to assist in improving the security of communication between the client and the server.
  • The present invention provides a secure communication method which is executed by a security proxy device between a client and a server, the method comprising:
  • upon receiving a request sent by the client to the server, validating whether the token sent together with the request is a token assigned to the client; if the validation succeeds, forwarding to the server a request obtained by using the connection key or a token connection key to decrypt the request, wherein the token connection key is assigned to the client and then sent to the client encrypted by using the connection key;
  • after receiving a response returned by the server, using the connection key or token connection key to encrypt the response, and forwarding the encrypted response to the client.
  • The identity authentication for the client is performed during the connection key agreement.
  • The token is assigned to the client after the connection key agreement.
  • The using a key exchange mechanism to perform connection key agreement with the client comprises:
  • using a key agreement protection key to decrypt data sent by the client and containing a Client-ID, wherein the key agreement protection key is configured in advance in the client and the security proxy device;
  • The using the server validation key to encrypt data containing a security proxy device ID comprises:
  • The identity authentication for the client comprises:
  • The authenticating the Client-ID comprises:
  • judging whether the Client-ID is in a preset blacklist: if no, the client passes the identity authentication; if yes, the client fails the identity authentication; or
  • judging whether the Client-ID is in a preset whitelist: if yes, the client passes the identity authentication; if no, the client fails the identity authentication.
  • The obtaining the Client Environment Information comprises:
  • The Client Environment Information comprises at least one of a client device ID, a client application signature and a client environment parameter.
  • The obtaining the client signature information comprises:
  • using the Client-ID and the security proxy device ID to generate a client validation key;
  • using the client validation key to decrypt the client signature information sent by the client.
  • The assigning the token for the client comprises:
  • using a token key to encrypt data containing the connection key and a random parameter, or to encrypt data containing the token connection key and the random parameter, to obtain the token assigned for the client, the token key being preset in the security proxy device or dynamically generated by the security proxy device.
  • the connection serial number being generated by the security proxy device.
  • The method further comprises:
  • The present invention further provides a secure communication method.
  • The method is applied to a system comprising a client, a security proxy device and a server.
  • The method comprises:
  • the client using a key exchange mechanism to perform connection key agreement with the security proxy device, and obtaining a token assigned by the security proxy device to the client after identity authentication for the client succeeds;
  • the client using the connection key or a token connection key to encrypt the request sent to the server, and sending the encrypted request together with the token to the security proxy device;
  • wherein the token connection key is assigned by the security proxy device to the client and then encrypted using the connection key and then sent to the client.
  • The client using a key exchange mechanism to perform connection key agreement with the security proxy device comprises:
  • the key agreement protection key is configured in advance in the client and the security proxy device;
  • using a server validation key to decrypt data sent by the security proxy device and containing a security proxy device ID, the server validation key being generated by using the Client-ID;
  • The data containing a security proxy device ID comprises:
  • a security proxy device certificate and a signature obtained by signing the security proxy device ID and the Client-ID by using a root certificate private key of the security proxy device.
  • The method further comprises:
  • the client sending at least one of the Client-ID, client environment information and client signature information to the security proxy device so that the security proxy device performs identity authentication for the client.
  • The client sending the client environment information to the security proxy device comprises:
  • The environment information comprises at least one of Client Device ID, Client Application Signature and Client Environment Parameter.
  • The client sending the client signature information to the security proxy device comprises:
  • using the Client-ID and the security proxy device ID to generate the client validation key;
  • using the client validation key to encrypt the client signature information;
  • further obtaining a connection serial number encrypted by using the connection key, and using the connection key to decrypt the obtained connection serial number;
  • upon decrypting the response, further decrypting to obtain the connection serial number, validating whether the connection serial number is correct, and discarding the response if the connection serial number is not correct.
  • The present invention further provides a secure communication apparatus in a security proxy device between a client and a server, the apparatus comprising:
  • a key agreement unit for using a key exchange mechanism to perform connection key agreement with the client;
  • an identity authenticating unit for performing identity authentication for the client;
  • a token assigning unit for assigning a token to the client after the identity authentication for the client succeeds;
  • a request processing unit for, after receiving the request sent by the client to the server, validating whether the token sent together with the request is a token assigned to the client; if the validation succeeds, forwarding to the server a request obtained by using the connection key or token connection key to decrypt the request, wherein the token connection key is assigned by the token assigning unit to the client and then encrypted using the connection key and then sent to the client;
  • a response processing unit for, after receiving a response returned by the server, using the connection key or token connection key to encrypt the response, and forwarding the encrypted response to the client.
  • The identity authenticating unit performs identity authentication for the client during the connection key agreement.
  • The token assigning unit assigns a token to the client after the connection key agreement.
  • The key agreement unit specifically performs the following:
  • using a key agreement protection key to decrypt data sent by the client and containing a Client-ID, wherein the key agreement protection key is configured in advance in the client and the security proxy device;
  • The key agreement unit, upon using the server validation key to encrypt data containing a security proxy device ID, specifically performs the following:
  • The identity authenticating unit is specifically configured to:
  • The identity authenticating unit, upon performing authentication for the Client-ID, is specifically configured to:
  • The identity authenticating unit, upon obtaining the Client Environment Information, is specifically configured to:
  • The Client Environment Information comprises at least one of a client device ID, a client application signature and a client environment parameter.
  • The identity authenticating unit, upon obtaining the client signature information, is specifically configured to:
  • use the Client-ID and the security proxy device ID to generate a client validation key, and use the client validation key to decrypt the client signature information sent by the client.
  • The token assigning unit, upon assigning the token for the client, is specifically configured to:
  • use a token key to encrypt data containing the connection key and a random parameter, or to encrypt data containing the token connection key and the random parameter, to obtain the token assigned for the client, the token key being preset in the security proxy device or dynamically generated by the security proxy device.
  • The token assigning unit, upon sending the token, is configured to further send data obtained by using the connection key to encrypt the connection serial number, the connection serial number being generated by the security proxy device;
  • the request processing unit, upon decrypting the request, is configured to further decrypt to obtain the connection serial number, verify whether the connection serial number is correct, and forward the request obtained after decryption to the server only when the connection serial number is correct;
  • the response processing unit, upon encrypting the response, is configured to further encrypt the connection serial number, and send the encrypted connection serial number to the client.
  • The request processing unit is further configured to: if it is validated that the token sent together with the request is not the token assigned to the client, refuse to process the request.
  • The present invention further provides a secure communication apparatus arranged at a client, the apparatus comprising:
  • a key agreement unit for using a key exchange mechanism to perform connection key agreement with the security proxy device;
  • a token obtaining unit for obtaining a token assigned by the security proxy device to the client after identity authentication for the client succeeds;
  • a request sending unit for using the connection key or token connection key to encrypt the request sent to the server, and sending the encrypted request together with the token to the security proxy device;
  • a response obtaining unit for obtaining a response forwarded from the security proxy device, and using the connection key or token connection key to decrypt the response;
  • wherein the token connection key is assigned by the security proxy device to the client and then encrypted using the connection key and then sent to the client.
  • The key agreement unit is specifically configured to:
  • use a key agreement protection key to encrypt data containing a Client-ID, and send the encrypted data to the security proxy device, wherein the key agreement protection key is configured in advance in the client and the security proxy device;
  • use a server validation key to decrypt data sent by the security proxy device and containing a security proxy device ID, the server validation key being generated by using the Client-ID;
  • The data containing a security proxy device ID comprises:
  • a security proxy device certificate and a signature obtained by signing the security proxy device ID and the Client-ID by using a root certificate private key of the security proxy device.
  • The apparatus further comprises: an identity providing unit configured to send at least one of the Client-ID, client environment information and client signature information to the security proxy device so that the security proxy device performs identity authentication for the client.
  • The identity providing unit, upon sending the client environment information to the security proxy device, is specifically configured to:
  • use the connection key to encrypt the client environment information, and send the encrypted client environment information to the security proxy device;
  • The environment information comprises at least one of a Client Device ID, a Client Application Signature and a Client Environment Parameter.
  • The identity providing unit, upon sending the client signature information to the security proxy device, is specifically configured to:
  • use the Client-ID and the security proxy device ID to generate the client validation key, use the client validation key to encrypt the client signature information, and send the encrypted client signature information to the security proxy device.
  • The token obtaining unit, upon obtaining the token, is configured to further obtain a connection serial number encrypted by using the connection key, and use the connection key to decrypt the obtained connection serial number;
  • the request sending unit, upon encrypting the request, is configured to further encrypt the connection serial number;
  • the response obtaining unit is configured to further decrypt to obtain the connection serial number, validate whether the connection serial number is correct, and discard the response if the connection serial number is not correct.
  • In the present invention, the forwarding of messages between the client and the server is implemented via the security proxy device. On the one hand, a message between the client and the security proxy device is encrypted with the connection key agreed through the key exchange mechanism; on the other hand, control of access to the server is implemented through the token assigned by the security proxy device to the client. Secure communication between the client and the server is guaranteed through these two aspects.
  • FIG. 1 is a structural diagram of a system on which the present invention is based.
  • FIG. 2 is a flow chart of a method according to an embodiment of the present invention.
  • FIG. 3 is a block diagram of an apparatus arranged at a security proxy server according to an embodiment of the present invention.
  • FIG. 4 is a block diagram of an apparatus arranged at a client according to an embodiment of the present invention.
  • A security proxy device is located between a client and a server.
  • The security proxy device, as an intermediate device, is responsible for communication security between the client and the server, and interaction data between the client and the server must be forwarded via the security proxy device.
  • The following network setting manners may be employed in advance, but the invention is not limited to them:
  • In the first manner, the security proxy device is networked at an entrance position to the server so that the interaction data between the client and the server must go through the security proxy device.
  • In the second manner, the Domain Name System (DNS) is set so that the domain pointing to the server is resolved to an IP address of the security proxy device, such that data transmitted to the server will be transmitted to the security proxy device; the security proxy device is then set to allow all data it receives from the client to be transmitted to the server.
  • FIG. 2 is a flow chart of a secure communication method according to an embodiment of the present invention.
  • The following initial configurations will be performed in advance:
  • The security proxy device may obtain a certificate Proxy-Cert through the cloud or an offline tool.
  • The following content is configured in the security proxy device:
  • Packaging may be performed through the cloud or an offline tool.
  • The following content may be embedded in the client in advance:
  • The client may register with the security proxy device in advance to obtain a client certificate Client-Cert. For example, when the client is used for the first time, it registers with the security proxy device to obtain the Client-Cert.
  • The flow shown in FIG. 2 may then begin.
  • The method may comprise the following steps:
  • A first Authenticated Key Exchange (AKE) processing is performed, identified as AKE-1 in the figure.
  • In AKE-1, the client uses the key agreement protection key C_AKE-Key to encrypt the data containing the Client-ID and then sends it to the security proxy device.
  • An encryption algorithm is configured in advance in the client and the security proxy device. The Diffie-Hellman key exchange method may be employed in the embodiment of the present invention.
  • The data obtained after encryption may be represented as follows:
  • E_C_AKE-Key(Client-ID, g^x mod p, H(g^x mod p)), wherein x is a generated random number, and H(g^x mod p) represents the hash value obtained by performing a hash operation on g^x mod p.
  • A second Authenticated Key Exchange processing is performed, identified as AKE-2 in the figure.
  • The security proxy device decrypts the data sent by the client to obtain the Client-ID, i.e., decrypts E_C_AKE-Key(Client-ID, g^x mod p, H(g^x mod p)) to obtain the Client-ID.
  • Authentication is performed for the
  • The authentication may be based on, but is not limited to, a preset blacklist/whitelist. If the Client-ID is in the blacklist, it is confirmed that the client is illegal and its access is prohibited. If the Client-ID is not in the blacklist, the client passes the authentication.
  • H(g^x mod p) may further be used to verify g^x mod p, thereby validating data integrity.
  • The security proxy device uses the Client-ID to generate a server validation key C_AKE-Session-Key-2.
  • The manner of generating the server validation key may employ, but is not limited to, calculating a hash value, for example:
  • C_AKE-Session-Key-2 = Hash(2, Client-ID, g^y, g^x, g^xy), wherein y is a random number generated by the security proxy device. It is appreciated that the "2" in the above equation serves to identify the message order, and other values may also be employed.
  • The security proxy device uses C_AKE-Session-Key-2 to encrypt the data containing the Proxy-ID.
  • The root certificate private key of the security proxy device may first be used to sign the data containing the Proxy-ID and Client-ID; then C_AKE-Session-Key-2 is used to encrypt the signature and the certificate Proxy-Cert of the security proxy device.
  • The encrypted data may be represented as follows:
  • E_C_AKE-Session-Key-2(Proxy-Cert, Sig_Proxy(2, Proxy-ID, Client-ID, g^y, g^x)), wherein Sig_Proxy represents signing with the root certificate private key of the security proxy device, and the signature Sig_Proxy(2, Proxy-ID, Client-ID, g^y, g^x) may be decrypted at the client with the root certificate public key of the security proxy device.
  • The "2" in this equation serves to identify the message order, and other values may also be employed.
  • The security proxy device sends the encrypted data E_C_AKE-Session-Key-2(Proxy-Cert, Sig_Proxy(2, Proxy-ID, Client-ID, g^y, g^x)) to the client.
  • g^y mod p may also be sent to the client.
  • In step 203, a third Authenticated Key Exchange processing is performed, identified as AKE-3 in the figure.
  • In AKE-3, the client performs decryption and validation of the received data.
  • Upon decryption, the Client-ID is first used to generate the server validation key C_AKE-Session-Key-2 in the same manner as employed by the security proxy device. Then C_AKE-Session-Key-2 is used to decrypt the received data to obtain Proxy-Cert and Sig_Proxy(2, Proxy-ID, Client-ID, g^y, g^x).
  • The root certificate public key of the security proxy device is used to decrypt Sig_Proxy(2, Proxy-ID, Client-ID, g^y, g^x) to obtain the Proxy-ID, Client-ID, g^y and g^x. Then g^y mod p is validated.
  • The Client-ID and Proxy-ID are used to generate a client validation key C_AKE-Session-Key-3 and a connection key C_AKE-Session-Key.
  • The manner of generating the client validation key and the connection key may employ, but is not limited to, calculating a hash value, for example:
  • C_AKE-Session-Key-3 = Hash(3, Client-ID, Proxy-ID, g^x, g^y, g^xy).
  • The "3" in the above equation serves to identify the message order, and other values may also be employed.
  • C_AKE-Session-Key = Hash(0, Client-ID, Proxy-ID, g^x, g^y, g^xy), wherein "0" serves to identify the message order, and other values may also be employed.
  • The client uses the client validation key C_AKE-Session-Key-3 to encrypt the data containing the client certificate and the client application signature.
  • The encrypted data may be represented as follows:
  • E_C_AKE-Session-Key-3(Proxy-Cert, Sig_Client(3, Client-ID, Proxy-ID, g^x, g^y)), wherein Sig_Client(3, Client-ID, Proxy-ID, g^x, g^y) is the client application signature, and Sig_Client means signing with the root certificate private key of the client.
  • The connection key C_AKE-Session-Key is used to encrypt the client environment information, wherein the client environment information may comprise one of Client Device ID, Client App Sig and Client Environment Parameter or any combination thereof, and may be obtained through a built-in program in the client or a program assigned by the security proxy device.
  • The Client Environment Information may employ the configuration file time, the ex-factory ID and the like.
  • Data obtained by encrypting the client environment information by using the connection key C_AKE-Session-Key may be represented as follows:
  • E_C_AKE-Session-Key(Client Device ID, Client App Sig, Client Environment Information)
  • In step 204, allocation of the token to the client is mainly completed.
  • The security proxy device may, prior to allocating the token, first decrypt the received data and verify the Client App Sig and the Client Environment Information.
  • Upon decryption, the security proxy device first generates the client validation key C_AKE-Session-Key-3 and the connection key C_AKE-Session-Key in the same manner as the client in AKE-3. Then C_AKE-Session-Key-3 is used to decrypt the received E_C_AKE-Session-Key-3(Proxy-Cert, Sig_Client(3, Client-ID, Proxy-ID, g^x, g^y)) to obtain Sig_Client(3, Client-ID, Proxy-ID, g^x, g^y), which is then validated; in addition, C_AKE-Session-Key is used to decrypt the received E_C_AKE-Session-Key(Client Device ID, Client App Sig, Client Environment Information) to obtain the Client Device ID, Client App Sig and Client Environment Information, which are then validated.
  • Validation of the client information here can further improve anti-attack capability and effectively prevent an attack by an impersonator. It needs to be appreciated that since the security proxy device can obtain the Client Environment Parameter while the client registers with the security proxy device in advance, the validation of the Client Environment Parameter here is based on the Client Environment Parameter obtained during registration.
  • the security proxy device assigns an Access Token for the client, and sends said Access Token to the client.
  • the token may be generated by using the connection key C_AKE-Session-Key and a random parameter, wherein the random parameter may employ for example timestamp.
  • a manner of generating the token is exemplified as follows:
  • E Access-Token-Enc-Key (C_AKE-Session-Key, Client-ID, Session-ID, Time Stamp), that is, the token is obtained by using the token key Access-Token-Enc-Key to encrypt C_AKE-Session-Key, Client-ID, Session-ID (generated by the security proxy device) and Time Stamp, wherein Access-Token-Enc-Key is only retained by the security proxy device itself and not open to the external.
  • the Session-ID is optional content.
  • E C _ AKE-Session-Key (Session-ID, Time Stamp) needs to be additionally sent while the token is sent to the client, wherein Time Stamp here is consistent with Time Stamp in the token.
  • the token may further be generated in another manner, namely, generating a token connection key C_Token-Session-Key and then generating the token in the following way:
  • E Access-Token-Enc-Key (C_Token-Session-Key, Client-ID, Session-ID, Time Stamp), that is, the token is obtained by using the token key Access-Token-Enc-Key to encrypt C_Token-Session-Key, Client-ID, Session-ID and Time Stamp, wherein Access-Token-Enc-Key is only retained by the security proxy device itself and not open to the external. In this case, the following content needs to be sent additionally while the token is sent to the client:
  • E C _ AKE-Session-Key (C_Token-Session-Key, Session-ID, Time Stamp), namely a value obtained by using C_AKE-Session-Key to encrypt C_Token-Session-Key, Session-ID and Time Stamp.
  • Session-ID is optional content.
  • Time Stamp here is consistent with Time Stamp in the token.
  • The above steps 201 - 204 mainly involve the procedure of key agreement and token assignment. Then the client may begin to communicate with the server by using the agreed key and assigned token.
  • In step 205, the client uses the connection key C_AKE-Session-Key to encrypt the request sent to the server, and sends the encrypted request together with the Access Token to the server.
  • the encrypted request may be represented as: E C _ AKE-Session-Key (Req, H(Req)). H(Req) is an optional item.
  • the security proxy device transfers a token connection key to the client
  • the token connection key C_Token-Session-Key may be used to encrypt the request in this step.
  • the encrypted request may be represented as E C _ Token-Session-Key (Req, H(Req)), wherein H(Req) is an optional item.
  • Session-ID may be encrypted while the request is encrypted.
  • the security proxy device obtains the above encrypted request and Access Token, uses C_AKE-Session-Key to decrypt the request and verifies the Access Token, that is, verifies whether the token is the one assigned to the client. If the validation succeeds, the decrypted request (represented as Req in the figure) is forwarded to the server. If the validation fails, processing of the received request is refused.
  • the decrypted request may be further checked to see whether it includes an attack code.
  • the check manner may be a manner based on the whitelist or blacklist.
  • the manner based on the whitelist is mainly based on some grammatical formats or preset rules.
  • the manner based on the blacklist is mainly based on some attack code features. If the request is checked as containing an attack code, the forwarding of said request may be refused.
  • the token connection key C_Token-Session-Key may be used to decrypt the request.
  • the step may further comprise integrity validation, namely, validating that the Session-ID has not been used before and lies in a reasonable range.
  • C_AKE-Session-Key or C_Token-Session-Key may also be used for the encryption processing of a response in subsequent step 208 .
  • C_AKE-Session-Key is only taken as an example.
  • In step 207, the security proxy device obtains a response R returned by the server.
  • the security proxy device uses the connection key C_AKE-Session-Key to encrypt the response R returned by the server, and forwards the encrypted response to the client.
  • the encrypted response may be represented as E C _ AKE-Session-Key (R, H(R)), wherein H(R) is an optional item.
  • the encrypted content may further comprise Session-ID so that the client uses the Session-ID to perform integrity validation.
  • the client may directly obtain an access right through the token.
  • the client may, after performing Session-ID+1, repeatedly execute the procedure as shown in step 205 -step 208 .
  • the client needs to agree about the key and obtain the token again from step 201 .
  • FIG. 3 is a block diagram of an apparatus arranged at a security proxy server according to an embodiment of the present invention.
  • the apparatus may comprise: a key agreement unit 01 , an identity authenticating unit 02 , a token assigning unit 03 , a request processing unit 04 and a response processing unit 05 , wherein the above units have the following main functions:
  • the key agreement unit 01 is responsible for using a key exchange mechanism to perform connection key agreement with the client.
  • the identity authenticating unit 02 is responsible for performing identity authentication for the client.
  • the token assigning unit 03 is responsible for assigning a token for the client after the identity authentication for the client succeeds.
  • the request processing unit 04 is responsible for, after receiving the request sent by the client to the server, validating whether the token sent together with the request is a token assigned for the client; if the validation succeeds, forwarding to the server a request obtained by using the connection key or token connection key to decrypt the request. If it is validated that the token sent together with the request is not the token assigned for the client, refusing to process the request.
  • the token connection key is assigned by the token assigning unit 03 to the client and then encrypted using the connection key and then sent to the client.
  • the response processing unit 05 is responsible for, after receiving a response returned by the server, using the connection key or token connection key to encrypt the response, and forwarding the encrypted response to the client.
  • the identity authentication for the client by the above identity authenticating unit 02 may be completed during the connection key agreement.
  • the token assigning unit 03 upon completion of the connection key agreement, assigns a token for the client.
  • the key agreement unit 01 may perform the following operations:
  • Operation 1: using the key agreement protection key to decrypt the data sent by the client and containing a Client-ID, wherein the key agreement protection key is configured in advance in the client and the security proxy device. For example, decrypting E C _ AKE-Key (Client-ID, (g x mod p), H(g x mod p)) sent by the client to obtain the Client-ID.
  • the H(g x mod p) may be further used to perform validation for (g x mod p) in order to verify data integrity.
  • Operation 2 is performed after the validation succeeds.
  • Operation 3: using the server validation key to encrypt data containing a security proxy device ID, sending the encrypted data to the client so that the client uses the Client-ID and the security proxy device ID to generate the connection key.
  • the server validation key is used to encrypt data containing the security proxy device ID
  • a root certificate private key of the security proxy device may be used to sign the security proxy device ID and the Client-ID; then the server validation key may be used to encrypt the signature and the certificate of the security proxy device.
  • E C _ AKE-Session-Key-2 (Proxy-Cert, Sig Proxy (2, Proxy-ID, Client-ID, g y , g x )) may be used, wherein Sig Proxy represents using the root certificate private key of the security proxy device to sign, and Sig Proxy (2, Proxy-ID, Client-ID, g y , g x ) obtained from the signature may be decrypted at the client through a root certification public key of the security proxy device.
  • the above operation corresponds to step 202 in FIG. 2.
  • Operation 4: using the Client-ID and the security proxy device ID to generate a connection key.
  • the above operation corresponds to step 204 in FIG. 2 .
  • the identity authenticating unit 02 may perform identity authentication for the client in the following manners or any combination of the following manners, but not limited to the following manners:
  • the first manner: authenticating the Client-ID after obtaining the Client-ID.
  • the identity authenticating unit 02 may verify the Client-ID after the key agreement unit 01 performs the above operation 1 and obtains the Client-ID.
  • the authentication may, based on a whitelist or blacklist, judge whether the Client-ID is in a preset blacklist. If no, the client passes the identity authentication; if yes, the client fails to pass the validation. Alternatively, judgment is performed as to whether the Client-ID is in a preset whitelist: if yes, the client passes the identity authentication; if no, the client fails to pass the validation.
  • the client may use the connection key to encrypt the Client Environment Information and then send it to the security proxy device.
  • the identity authenticating unit 02 may, after the operation 4 generates the connection key, use the connection key to decrypt the received Client Environment Information, and then verify the Client Environment Information.
  • the Client Environment Information comprises at least one of a client device ID, a client application signature and a client environment parameter.
  • validation is especially performed for the client environment parameter. It needs to be appreciated that since the security proxy device can obtain the Client Environment Parameter while the client registers with the security proxy device in advance, the validation to the Client Environment Parameter here is based on the Client Environment Parameter obtained during the registration.
  • the third manner: validating client application signature information after obtaining the client application signature information.
  • the client may generate a client validation key, and use the client validation key to encrypt the client application signature and then send it to the security proxy device.
  • the security proxy device uses the Client-ID and the security proxy device ID to generate the client validation key in the same manner as the client, then uses the client validation key to decrypt the client application signature, and then verifies the client application signature.
  • the above token assigning unit 03, upon assigning a token to the client, may use a token key to encrypt data containing the connection key and a random parameter, or encrypt data containing the token connection key and the random parameter, to obtain the token assigned for the client.
  • the token key is preset in the security proxy device or dynamically generated by the security proxy device.
  • E Access-Token-Enc-Key (C_AKE-Session-Key, Client-ID, Session-ID, Time Stamp)
  • the token is obtained by using the token key Access-Token-Enc-Key to encrypt C_AKE-Session-Key, Client-ID, Session-ID (connection serial number) and Time Stamp, wherein Access-Token-Enc-Key is only retained by the security proxy device itself and not open to the external, and wherein the Session-ID is optional content.
  • the token may further be generated in another manner, namely, generating a token connection key C_Token-Session-Key and then generating the token in the following way:
  • E Access-Token-Enc-Key (C_Token-Session-Key, Client-ID, Session-ID, Time Stamp), that is, the token is obtained by using the token key Access-Token-Enc-Key to encrypt C_Token-Session-Key, Client-ID, Session-ID and Time Stamp, wherein Access-Token-Enc-Key is only retained by the security proxy device itself and not open to the external.
  • the token assigning unit 03 upon sending a token, further sends data obtained by using the connection key to encrypt the connection serial number.
  • the request processing unit 04 decrypts to obtain the connection serial number, further verifies whether the connection serial number is correct, and forwards the request obtained after decryption to the server only when the connection serial number is correct.
  • the response processing unit 05 upon encrypting the response, further encrypts the connection serial number, and sends the encrypted connection serial number to the client.
  • FIG. 4 is a block diagram of an apparatus arranged at a client according to an embodiment of the present invention.
  • the apparatus may comprise: a key agreement unit 11 , a token obtaining unit 12 , a request sending unit 13 , a response obtaining unit 14 as well as an identity providing unit 15 , wherein the above units have the following main functions:
  • the key agreement unit 11 is responsible for using a key exchange mechanism to perform connection key agreement with the security proxy device.
  • the token obtaining unit 12 is responsible for obtaining a token assigned by the security proxy device to the client after identity authentication for the client succeeds.
  • the request sending unit 13 is responsible for using the connection key or token connection key to encrypt the request sent to the server, and sending the encrypted request together with the token to the security proxy device.
  • the response obtaining unit 14 is responsible for obtaining a response forwarded from the security proxy device, and using the connection key or token connection key to decrypt the response.
  • token connection key is assigned by the security proxy device to the client and then encrypted using the connection key and then sent to the client.
  • the key agreement unit 11 may perform the following operations:
  • Operation 1: using the key agreement protection key to encrypt data containing a Client-ID, and sending the encrypted data to the security proxy device, wherein the key agreement protection key is configured in advance in the client and the security proxy device.
  • E C _ AKE-Key (Client-ID, (g x mod p), H(g x mod p)) is sent to the security proxy device.
  • the operation corresponds to step 101 in FIG. 2 .
  • Operation 2: using the server validation key to decrypt data containing a security proxy device ID, the server validation key being generated by using the Client-ID.
  • the Client-ID may be used to generate the server validation key C_AKE-Session-Key-2 in the same manner as the manner employed by the security proxy device.
  • the server validation key is used to decrypt the data sent by the security proxy device to obtain a security proxy device certificate Proxy-Cert, and a root certificate private key of the security proxy device is used to perform signature Sig Proxy (2, Proxy-ID, Client-ID, g y ,g x ) for the security proxy device identity Proxy-ID and the Client-ID.
  • a root certificate public key of the security proxy device is used to decrypt Sig Proxy (2, Proxy-ID, Client-ID, g y ,g x ) and obtain the security proxy device identity Proxy-ID.
  • Operation 3: using the Client-ID and the security proxy device ID obtained from decryption to generate a connection key.
  • the identity providing unit 15 may send at least one of Client-ID, client environment information and client signature information to the security proxy device so that the security proxy device performs identity authentication for the client.
  • identity providing unit 15 may provide the Client-ID to the security proxy device through the above operation 1.
  • the identity providing unit 15 upon sending the client environment information to the security proxy device, may use the connection key to encrypt the client environment information, and send the encrypted client environment information to the security proxy device; the environment information comprises at least one of Client Device ID, Client Application Signature and Client Environment Parameter.
  • using the connection key C_AKE-Session-Key to encrypt the client environment information may be represented as follows: E C _ AKE-Session-Key (Client Device ID, Client App Sig, Client Environment Information).
  • the identity providing unit 15 upon sending the client signature information to the security proxy device, may use the Client-ID and the security proxy device ID to generate the client validation key, use the client validation key to encrypt the client signature information, and send the encrypted client signature information to the security proxy device.
  • Using the client validation key to encrypt the client signature information may be represented as: E C _ AKE-Session-Key-3 (Proxy-Cert, Sig Client (3, Client-ID, Proxy-ID, g x , g y )), wherein Sig Client (3, Client-ID, Proxy-ID, g x , g y ) is the client application signature, and Sig Client means using the root certificate private key of the client to sign.
  • the token obtaining unit 12 upon obtaining a token, further obtains a connection serial number encrypted by using the connection key, and uses the connection key to decrypt the obtained connection serial number.
  • Upon encrypting the request, the request sending unit 13 further encrypts the connection serial number.
  • the response obtaining unit 14 upon decrypting the received response, further decrypts to obtain the connection serial number, validates whether the connection serial number is correct, and discards the response if the connection serial number is not correct.
  • the present invention does not limit encryption and decryption algorithms so long as it is ensured that the client and the security proxy device use consistent encryption and decryption algorithms.
  • a message between the client and the security proxy device is encrypted through an agreed connection key to prevent data leakage, and on the other hand, control of access to the server is implemented through the token assigned by the security proxy device to the client, to prevent man-in-the-middle attacks on the server and illegal client access to the server. Secure communication between the client and the server is guaranteed through this mechanism.
  • the devices and methods disclosed can be implemented through other ways.
  • the embodiments for the devices are only exemplary, e.g., the division of the units is merely a logical one, and, in reality, they can be divided in other ways.
  • the units described as separate parts may be or may not be physically separated, the parts shown as units may be or may not be physical units, i.e., they can be located in one place, or distributed in a plurality of network units. One can select some or all the units to achieve the purpose of the embodiment according to the actual needs.
  • functional units can be integrated in one processing unit, or they can be separate physical presences; or two or more units can be integrated in one unit.
  • the integrated unit described above can be realized as hardware, or as a combination of hardware and software functional units.
  • the aforementioned integrated unit in the form of software function units may be stored in a computer readable storage medium.
  • the aforementioned software function units are stored in a storage medium, including several instructions to instruct a computer device (a personal computer, server, or network equipment, etc.) or processor to perform some steps of the method described in the various embodiments of the present invention.
  • the aforementioned storage medium includes various media that may store program codes, such as U disk, removable hard disk, read-only memory (ROM), a random access memory (RAM), magnetic disk, or an optical disk.
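Steps 201 to 203 above, and Operations 1 to 4 of the key agreement units in FIG. 3 and FIG. 4, describe a Diffie-Hellman exchange carried under the pre-configured key agreement protection key C_AKE-Key, with an integrity hash H(g^x mod p) on the first message and three keys (C_AKE-Session-Key-2, C_AKE-Session-Key-3 and the connection key C_AKE-Session-Key) derived from the Client-ID and the security proxy device ID. The Python model below is an added example written for this page; it is not code from the patent or from its assignee. Its assumptions: a demonstration-only modulus and base (P, G); HMAC-SHA256 as the key derivation function, with a distinct label per key; C_AKE-Session-Key-2 derived from C_AKE-Key, Client-ID and g^x (both sides know these before g^y exists), and the other two keys derived from the DH shared secret plus both identities. The outer E_C_AKE-Key(...) encryption, Proxy-Cert and the Sig_Proxy / Sig_Client signatures require an asymmetric-crypto library and are left out; the transcript that Sig_Proxy would cover, (2, Proxy-ID, Client-ID, g^y, g^x), is assembled so that the binding is visible.

```python
import hashlib
import hmac
import secrets

# Demonstration-only group (assumption of this example): a Mersenne prime modulus and a
# small base keep the numbers readable. A deployment would use a standard group, for
# example one of the RFC 7919 finite-field groups, together with its published generator.
P = 2**127 - 1
G = 3

def _b(n):
    """Big-endian encoding of a group element, as fed to H() and to the KDF."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def h(n):
    """H(g^x mod p): the integrity value the client attaches in step 201."""
    return hashlib.sha256(_b(n)).digest()

def kdf(secret, label, *parts):
    """One labelled key from a secret and length-prefixed context fields
    (assumed construction: HMAC-SHA256; the page leaves the derivation open)."""
    m = hmac.new(secret, label, hashlib.sha256)
    for part in parts:
        m.update(len(part).to_bytes(2, "big") + part)
    return m.digest()

def derive_keys(ake_key, shared, client_id, proxy_id, gx):
    """The three keys each side computes on its own (assumed inputs, see lead-in):
    Key-2 needs only C_AKE-Key, Client-ID and g^x, so it exists before g^y is known;
    Key-3 and the connection key bind the DH secret to both identities."""
    return {
        "C_AKE-Session-Key-2": kdf(ake_key, b"AKE-2", client_id, _b(gx)),
        "C_AKE-Session-Key-3": kdf(_b(shared), b"AKE-3", client_id, proxy_id),
        "C_AKE-Session-Key": kdf(_b(shared), b"AKE", client_id, proxy_id),
    }

def client_step_201(client_id):
    """Client picks x and prepares Client-ID, g^x mod p, H(g^x mod p) for E_C_AKE-Key(...)."""
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    return x, {"client_id": client_id, "gx": gx, "h_gx": h(gx)}

def proxy_step_202(ake_key, proxy_id, msg):
    """Proxy checks H(g^x), picks y, derives all keys and returns its reply fields.
    Proxy-Cert and Sig_Proxy over the transcript need an asymmetric library and are
    left out; the transcript the signature would cover is assembled for reference."""
    if not hmac.compare_digest(h(msg["gx"]), msg["h_gx"]):
        raise ValueError("H(g^x mod p) mismatch: message altered in transit")
    if not 1 < msg["gx"] < P - 1:
        raise ValueError("g^x is not a valid group element")
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    keys = derive_keys(ake_key, pow(msg["gx"], y, P), msg["client_id"], proxy_id, msg["gx"])
    transcript = b"|".join([b"2", proxy_id, msg["client_id"], _b(gy), _b(msg["gx"])])
    return keys, {"proxy_id": proxy_id, "gy": gy, "signed_fields": transcript}

def client_step_203(ake_key, client_id, x, gx, reply):
    """Client derives the same three keys from Proxy-ID and g^y (Operations 2 to 4)."""
    if not 1 < reply["gy"] < P - 1:
        raise ValueError("g^y is not a valid group element")
    return derive_keys(ake_key, pow(reply["gy"], x, P), client_id, reply["proxy_id"], gx)

def run_agreement(client_id=b"client-42", proxy_id=b"proxy-1", ake_key=None):
    """Whole exchange; returns (client_keys, proxy_keys), which must be identical."""
    ake_key = ake_key or secrets.token_bytes(32)  # C_AKE-Key, provisioned on both sides
    x, hello = client_step_201(client_id)
    proxy_keys, reply = proxy_step_202(ake_key, proxy_id, hello)
    client_keys = client_step_203(ake_key, client_id, x, hello["gx"], reply)
    return client_keys, proxy_keys

def tamper_detected(client_id=b"client-42"):
    """Alter g^x after H(g^x) was computed: the proxy must refuse the message."""
    _, hello = client_step_201(client_id)
    hello["gx"] ^= 1
    try:
        proxy_step_202(b"k" * 32, b"proxy-1", hello)
    except ValueError:
        return True
    return False
```

`run_agreement()` returns the two key dictionaries, which match field for field; `tamper_detected()` shows the H(g^x mod p) check rejecting a modified first message. Two details worth noting: the range check on g^x and g^y is cheap public-value validation that the page does not spell out, and giving each of the three keys its own KDF label keeps them independent even though they share most of their inputs.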
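Steps 204 to 208 above (token allocation, the request sent with the token, validation of the token, the Session-ID range check, the whitelist check on the decrypted request, and the encrypted response) can be followed end to end in the model below. It is an added example written for this page, not code from the patent or from its assignee. Its assumptions: an encrypt-then-MAC construction from HMAC-SHA256 stands in for the page's unspecified E_key(...) so that the example needs no third-party package; fields are packed as JSON; the token stays valid for 300 seconds and a Session-ID may advance by at most 100 per request; the whitelist rule is a constructed regular expression. The Access-Token-Enc-Key is created inside the proxy and never leaves it, so the token is opaque to the client, and the proxy recovers C_AKE-Session-Key from the token rather than from a key table. The demo runs one honest exchange and then shows a replayed request, a forged token and an expired token being refused.

```python
import hashlib
import hmac
import json
import re
import secrets

# Stand-in for the page's unspecified E_key(...): encrypt-then-MAC from HMAC-SHA256 only
# (assumption of this example; a deployment would use a real AEAD such as AES-GCM).
def _subkeys(key):
    return tuple(hmac.new(key, tag, hashlib.sha256).digest() for tag in (b"enc", b"mac"))

def _xor_stream(ek, nonce, data):
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(ek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key, plaintext):
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(ek, nonce, plaintext)
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext rejected: MAC mismatch")
    return _xor_stream(ek, nonce, ct)

def _h(data):
    return hashlib.sha256(data).hexdigest()

# Whitelist-style format rule for decrypted requests (constructed for this example).
ALLOWED_REQUEST = re.compile(r"GET /[\w/.-]*(\?[\w=&-]*)? HTTP/1\.1")
TOKEN_TTL, SESSION_WINDOW = 300, 100  # token lifetime (s) and Session-ID range (assumed policy)

class SecurityProxy:
    def __init__(self, upstream):
        self.token_key = secrets.token_bytes(32)  # Access-Token-Enc-Key: never leaves the proxy
        self.upstream = upstream                  # callable standing in for the protected server
        self.last_session_id = {}                 # Client-ID -> highest Session-ID accepted
    def issue_token(self, client_id, session_key, now):
        """Step 204: E_AccessTokenEncKey(C_AKE-Session-Key, Client-ID, Session-ID, Time Stamp)
        sent with E_C_AKE-Session-Key(Session-ID, Time Stamp) so the client learns Session-ID."""
        sid = secrets.randbelow(2**31)
        self.last_session_id[client_id] = sid
        token = encrypt(self.token_key, json.dumps(
            {"sk": session_key.hex(), "cid": client_id, "sid": sid, "ts": now}).encode())
        extra = encrypt(session_key, json.dumps({"sid": sid, "ts": now}).encode())
        return token, extra
    def handle(self, token, enc_request, now):
        """Steps 206-208: returns the encrypted response, or None when the request is refused."""
        try:
            t = json.loads(decrypt(self.token_key, token))
            sk = bytes.fromhex(t["sk"])
            body = json.loads(decrypt(sk, enc_request))
        except ValueError:
            return None                              # forged token, or wrong session key
        if not 0 <= now - t["ts"] <= TOKEN_TTL:
            return None                              # stale token: client must redo step 201
        last = self.last_session_id.get(t["cid"])
        if last is None or not last < body["sid"] <= last + SESSION_WINDOW:
            return None                              # unknown client, replayed or out-of-range ID
        req = body["req"].encode()
        if body["h"] != _h(req) or not ALLOWED_REQUEST.fullmatch(body["req"]):
            return None                              # H(Req) mismatch or whitelist rejection
        self.last_session_id[t["cid"]] = body["sid"]
        r = self.upstream(req)
        return encrypt(sk, json.dumps({"r": r.decode(), "h": _h(r), "sid": body["sid"]}).encode())

class Client:
    def __init__(self, client_id, session_key):
        self.client_id, self.sk, self.token, self.sid = client_id, session_key, None, None
    def accept_token(self, token, extra):
        self.token, self.sid = token, json.loads(decrypt(self.sk, extra))["sid"]
    def request(self, req):
        """Step 205: Session-ID+1, then E_C_AKE-Session-Key(Req, H(Req), Session-ID) plus token."""
        self.sid += 1
        return self.token, encrypt(self.sk, json.dumps(
            {"req": req, "h": _h(req.encode()), "sid": self.sid}).encode())
    def response(self, blob):
        body = json.loads(decrypt(self.sk, blob))
        if body["sid"] != self.sid or body["h"] != _h(body["r"].encode()):
            raise ValueError("response failed Session-ID or integrity validation")
        return body["r"]

def demo(now=1_700_000_000):
    """One honest exchange, then a replay, a forged token and a stale token, all refused."""
    proxy = SecurityProxy(lambda req: b"200 OK for " + req)
    client = Client("client-42", secrets.token_bytes(32))  # key agreed in steps 201-203
    client.accept_token(*proxy.issue_token("client-42", client.sk, now))
    tok, enc = client.request("GET /api/items?id=7 HTTP/1.1")
    answer = client.response(proxy.handle(tok, enc, now))
    replay = proxy.handle(tok, enc, now)                                 # same Session-ID again
    forged = proxy.handle(encrypt(secrets.token_bytes(32), b"{}"), enc, now)
    stale = proxy.handle(*client.request("GET /api/items HTTP/1.1"), now + TOKEN_TTL + 1)
    return answer, replay, forged, stale
```

`demo()` returns the honest answer followed by three `None` refusals. Two design points follow from the page's scheme: because the proxy trusts the token's contents (including the session key) the token must be integrity-protected, which is why the stand-in cipher authenticates before decrypting; and although the key travels inside the token, the proxy still has to keep the last accepted Session-ID per client, since the replay and "reasonable range" check in step 206 cannot be stateless.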

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201510245307.2 2015-05-14
CN201510245307.2A CN105471833B (zh) 2015-05-14 2015-05-14 一种安全通讯方法和装置
CN201510245307 2015-05-14

Publications (2)

Publication Number Publication Date
US20160337321A1 US20160337321A1 (en) 2016-11-17
US10142297B2 true US10142297B2 (en) 2018-11-27

Family

ID=55609105

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/146,814 Active 2036-10-14 US10142297B2 (en) 2015-05-14 2016-05-04 Secure communication method and apparatus

Country Status (3)

Country Link
US (1) US10142297B2 (zh)
CN (1) CN105471833B (zh)
WO (1) WO2016180204A1 (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190273732A1 (en) * 2016-09-16 2019-09-05 Oracle International Corporation Custom authenticator for enterprise web application
US11134074B1 (en) * 2020-05-22 2021-09-28 Fmr Llc Systems and methods for secure HTTP connections using a distributed certificate validation model
US11202180B2 (en) * 2017-03-17 2021-12-14 Icrypto, Inc. System and method for dual notifications and responses

Families Citing this family (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471833B (zh) 2015-05-14 2019-04-16 瑞数信息技术(上海)有限公司 一种安全通讯方法和装置
CN105491001B (zh) * 2015-05-14 2017-02-22 瑞数信息技术(上海)有限公司 一种安全通讯方法和装置
US9767318B1 (en) 2015-08-28 2017-09-19 Frank Dropps Secure controller systems and associated methods thereof
US9882894B2 (en) * 2015-12-15 2018-01-30 Verizon Patent And Licensing Inc. Secure authentication service
US10277407B2 (en) * 2016-04-19 2019-04-30 Microsoft Technology Licensing, Llc Key-attestation-contingent certificate issuance
US10116634B2 (en) * 2016-06-28 2018-10-30 A10 Networks, Inc. Intercepting secure session upon receipt of untrusted certificate
CN107026730B (zh) * 2017-04-01 2021-01-05 北京深思数盾科技股份有限公司 数据处理方法、装置及系统
CN107357631A (zh) * 2017-07-17 2017-11-17 郑州云海信息技术有限公司 一种管理虚拟机密钥的方法和装置及计算机可读存储介质
BR112020000870A2 (pt) * 2017-07-21 2020-07-21 Huawei International Pte. Ltd. método de transmissão de dados, dispositivo e sistema relacionados ao mesmo
US11019073B2 (en) * 2017-07-23 2021-05-25 AtScale, Inc. Application-agnostic resource access control
CN107508819B (zh) * 2017-09-05 2020-06-05 广东思派康电子科技有限公司 加密方法和加密装置
CN107508673A (zh) * 2017-09-11 2017-12-22 金蝶软件(中国)有限公司 Erp与第三方组件之间密钥获取的方法及相关装置
CN107612926B (zh) * 2017-10-12 2020-09-29 成都知道创宇信息技术有限公司 一种基于客户端识别的一句话WebShell拦截方法
CN110740116B (zh) * 2018-07-20 2023-06-30 北京思源理想控股集团有限公司 一种多应用身份认证的系统及方法
US20200106612A1 (en) * 2018-09-28 2020-04-02 Yokogawa Electric Corporation System and method for providing cloud service
IL283346B2 (en) * 2018-11-26 2024-04-01 Forticode Ltd Mutual authentication of computer systems on an insecure network
CN110046192B (zh) * 2019-04-22 2021-08-20 广州荔支网络技术有限公司 请求信息的序号生成系统和方法
US11303588B1 (en) * 2019-09-05 2022-04-12 Meta Platforms, Inc. Automating a response to a message communicated to a business entity via an online messaging application
US10985921B1 (en) 2019-11-05 2021-04-20 Capital One Services, Llc Systems and methods for out-of-band authenticity verification of mobile applications
CN111131215B (zh) * 2019-12-18 2022-08-05 深圳市任子行科技开发有限公司 一种无感知审计部署方法及装置
CN111475824B (zh) * 2020-03-23 2023-05-05 深圳前海百递网络有限公司 数据访问方法、装置、设备和存储介质
CN111510460A (zh) * 2020-04-24 2020-08-07 武汉火神信息科技有限公司 集中管理主机并拦截转发指令的安全服务系统
US11979395B2 (en) * 2020-09-28 2024-05-07 Sap Se Application security through deceptive authentication
CN112383912B (zh) * 2020-11-02 2022-08-02 中国联合网络通信集团有限公司 开户方法、服务器、系统及存储介质
CN112689283B (zh) * 2020-12-15 2021-11-23 青海大学 一种密钥保护和协商方法、系统和存储介质
CN112688949B (zh) * 2020-12-25 2022-12-06 北京浪潮数据技术有限公司 一种访问方法、装置、设备及计算机可读存储介质
CN113055169B (zh) * 2021-03-29 2023-04-14 京东方科技集团股份有限公司 数据加密方法、装置、电子设备及存储介质
CN114553570B (zh) * 2022-02-25 2024-04-12 中国建设银行股份有限公司 生成令牌的方法、装置、电子设备及存储介质
CN115086053A (zh) * 2022-06-23 2022-09-20 支付宝(杭州)信息技术有限公司 用于识别伪装设备的方法和系统
CN116743461B (zh) * 2023-06-15 2023-12-22 上海银满仓数字科技有限公司 基于时间戳的商品数据加密方法和装置
CN117728958A (zh) * 2024-02-05 2024-03-19 浙江大华技术股份有限公司 一种通信方法、装置和系统

Citations (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5805803A (en) 1997-05-13 1998-09-08 Digital Equipment Corporation Secure web tunnel
US6327662B1 (en) 1998-09-30 2001-12-04 3Com Corporation Security through the use of tokens and automatically downloaded applets
US20020026578A1 (en) 2000-08-22 2002-02-28 International Business Machines Corporation Secure usage of digital certificates and related keys on a security token
US20040128393A1 (en) 2002-12-31 2004-07-01 International Business Machines Corporation Method and system for consolidated sign-off in a heterogeneous federated environment
US20040158708A1 (en) 2003-02-10 2004-08-12 International Business Machines Corporation Method for distributing and authenticating public keys using time ordered exchanges
US20050005133A1 (en) 2003-04-24 2005-01-06 Xia Sharon Hong Proxy server security token authorization
US20050154887A1 (en) 2004-01-12 2005-07-14 International Business Machines Corporation System and method for secure network state management and single sign-on
US6965939B2 (en) 2001-01-05 2005-11-15 International Business Machines Corporation Method and apparatus for processing requests in a network data processing system based on a trust association between servers
US20060004662A1 (en) * 2004-06-30 2006-01-05 International Business Machines Corporation Method and system for a PKI-based delegation process
US20060225132A1 (en) * 2000-01-24 2006-10-05 Microsoft Corporation System and Method of Proxy Authentication in a Secured Network
US20070107048A1 (en) 2005-10-11 2007-05-10 David Halls Systems and Methods for Facilitating Distributed Authentication
US20070226483A1 (en) 2006-03-24 2007-09-27 Dennis Cox System and method for storing and/or transmitting emulated network flows
CN101217367A (zh) 2007-01-04 2008-07-09 中国移动通信集团公司 引入鉴权客户端实现业务鉴权的系统及方法
CN101247391A (zh) 2007-12-28 2008-08-20 上海电力学院 Opc安全代理系统及其代理方法
US7421576B1 (en) * 2003-01-16 2008-09-02 The United States Of America As Represented By The United States Department Of Energy Interception and modification of network authentication packets with the purpose of allowing alternative authentication modes
CN101674304A (zh) 2009-10-15 2010-03-17 浙江师范大学 一种网络身份认证系统及方法
CN101741764A (zh) 2009-12-25 2010-06-16 金蝶软件(中国)有限公司 一种企业广域网文件传输的方法、系统
US20100281522A1 (en) 2007-12-27 2010-11-04 Nec Corporation Access right managing system, access right managing method, and access right managing program
US20110066681A1 (en) 2008-05-14 2011-03-17 Naoki Shiota Client device, control method thereof, program, server device, control method thereof, communication system, and control method thereof
CN102111410A (zh) 2011-01-13 2011-06-29 中国科学院软件研究所 一种基于代理的单点登录方法及系统
CN102208980A (zh) 2010-08-24 2011-10-05 济南聚易信息技术有限公司 一种通信方法及系统
US20120206317A1 (en) 2011-02-11 2012-08-16 Sony Network Entertainment International Llc Device affiliation process from second display
US8407776B2 (en) 2011-02-11 2013-03-26 Good Technology Corporation Method, apparatus and system for provisioning a push notification session
CN103095704A (zh) 2013-01-15 2013-05-08 杭州华三通信技术有限公司 一种可信介质的在线验证方法及装置
US8447983B1 (en) 2011-02-01 2013-05-21 Target Brands, Inc. Token exchange
CN103179115A (zh) 2013-03-18 2013-06-26 中国科学院信息工程研究所 一种面向云电视终端跨云应用的云服务访问控制方法
CN103780396A (zh) 2014-01-27 2014-05-07 华为软件技术有限公司 令牌获取方法及装置
CN104023085A (zh) 2014-06-25 2014-09-03 武汉大学 一种基于增量同步的安全云存储系统
CN104038490A (zh) 2014-06-09 2014-09-10 可牛网络技术(北京)有限公司 一种通信安全校验方法及其装置
CN104113528A (zh) 2014-06-23 2014-10-22 汉柏科技有限公司 一种基于前置网关的防止敏感信息泄露的方法和系统
CN104350501A (zh) 2012-05-25 2015-02-11 佳能株式会社 授权服务器和客户端设备、服务器协作系统和令牌管理方法
US20150121501A1 (en) 2013-10-31 2015-04-30 Cellco Partnership D/B/A Verizon Wireless Connected authentication device using mobile single sign on credentials
US20150319174A1 (en) 2014-04-30 2015-11-05 Citrix Systems, Inc. Enterprise System Authentication and Authorization via Gateway
US20160036833A1 (en) 2014-07-29 2016-02-04 Aruba Networks, Inc. Client Reputation Driven Role-Based Access Control
CN105471833A (zh) 2015-05-14 2016-04-06 瑞数信息技术(上海)有限公司 一种安全通讯方法和装置
CN105491001A (zh) 2015-05-14 2016-04-13 瑞数信息技术(上海)有限公司 一种安全通讯方法和装置
US20160142409A1 (en) 2014-11-18 2016-05-19 Microsoft Technology Licensing, Llc Optimized token-based proxy authentication
US20160234298A1 (en) 2015-02-10 2016-08-11 DeNA Co., Ltd. Method and system for load balancing
US20160261581A1 (en) 2013-10-30 2016-09-08 Hewlett-Packard Development Company, L.P. User authentication
US20170230696A1 (en) 2010-07-27 2017-08-10 Sony Corporation Device registration process from a second display
US20170244713A1 (en) 2015-12-09 2017-08-24 Xasp Security, Llc Web server transmission obfuscation

Patent Citations (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5805803A (en) 1997-05-13 1998-09-08 Digital Equipment Corporation Secure web tunnel
US6327662B1 (en) 1998-09-30 2001-12-04 3Com Corporation Security through the use of tokens and automatically downloaded applets
US20060225132A1 (en) * 2000-01-24 2006-10-05 Microsoft Corporation System and Method of Proxy Authentication in a Secured Network
US20020026578A1 (en) 2000-08-22 2002-02-28 International Business Machines Corporation Secure usage of digital certificates and related keys on a security token
US6965939B2 (en) 2001-01-05 2005-11-15 International Business Machines Corporation Method and apparatus for processing requests in a network data processing system based on a trust association between servers
CN1732465A (zh) 2002-12-31 2006-02-08 国际商业机器公司 在异构联合环境中统一注销的方法和系统
US20040128393A1 (en) 2002-12-31 2004-07-01 International Business Machines Corporation Method and system for consolidated sign-off in a heterogeneous federated environment
US7421576B1 (en) * 2003-01-16 2008-09-02 The United States Of America As Represented By The United States Department Of Energy Interception and modification of network authentication packets with the purpose of allowing alternative authentication modes
US20040158708A1 (en) 2003-02-10 2004-08-12 International Business Machines Corporation Method for distributing and authenticating public keys using time ordered exchanges
US20050005133A1 (en) 2003-04-24 2005-01-06 Xia Sharon Hong Proxy server security token authorization
US20050154887A1 (en) 2004-01-12 2005-07-14 International Business Machines Corporation System and method for secure network state management and single sign-on
US20060004662A1 (en) * 2004-06-30 2006-01-05 International Business Machines Corporation Method and system for a PKI-based delegation process
US20070107048A1 (en) 2005-10-11 2007-05-10 David Halls Systems and Methods for Facilitating Distributed Authentication
US20070226483A1 (en) 2006-03-24 2007-09-27 Dennis Cox System and method for storing and/or transmitting emulated network flows
CN101217367A (zh) 2007-01-04 2008-07-09 中国移动通信集团公司 引入鉴权客户端实现业务鉴权的系统及方法
US20100281522A1 (en) 2007-12-27 2010-11-04 Nec Corporation Access right managing system, access right managing method, and access right managing program
CN101247391A (zh) 2007-12-28 2008-08-20 上海电力学院 Opc安全代理系统及其代理方法
US20110066681A1 (en) 2008-05-14 2011-03-17 Naoki Shiota Client device, control method thereof, program, server device, control method thereof, communication system, and control method thereof
CN101674304A (zh) 2009-10-15 2010-03-17 Zhejiang Normal University Network identity authentication system and method
CN101741764A (zh) 2009-12-25 2010-06-16 Kingdee Software (China) Co., Ltd. Method and system for file transfer over an enterprise wide area network
US20170230696A1 (en) 2010-07-27 2017-08-10 Sony Corporation Device registration process from a second display
CN102208980A (zh) 2010-08-24 2011-10-05 Jinan Juyi Information Technology Co., Ltd. Communication method and system
CN102111410A (zh) 2011-01-13 2011-06-29 Institute of Software, Chinese Academy of Sciences Proxy-based single sign-on method and system
US8447983B1 (en) 2011-02-01 2013-05-21 Target Brands, Inc. Token exchange
US20120206317A1 (en) 2011-02-11 2012-08-16 Sony Network Entertainment International Llc Device affiliation process from second display
US8407776B2 (en) 2011-02-11 2013-03-26 Good Technology Corporation Method, apparatus and system for provisioning a push notification session
CN104350501A (zh) 2012-05-25 2015-02-11 Canon Kabushiki Kaisha Authorization server and client device, server cooperation system, and token management method
CN103095704A (zh) 2013-01-15 2013-05-08 Hangzhou H3C Technologies Co., Ltd. Online verification method and apparatus for a trusted medium
CN103179115A (zh) 2013-03-18 2013-06-26 Institute of Information Engineering, Chinese Academy of Sciences Cloud service access control method for cross-cloud applications on cloud TV terminals
US20160261581A1 (en) 2013-10-30 2016-09-08 Hewlett-Packard Development Company, L.P. User authentication
US20150121501A1 (en) 2013-10-31 2015-04-30 Cellco Partnership D/B/A Verizon Wireless Connected authentication device using mobile single sign on credentials
CN103780396A (zh) 2014-01-27 2014-05-07 Huawei Software Technologies Co., Ltd. Token acquisition method and apparatus
US20150319174A1 (en) 2014-04-30 2015-11-05 Citrix Systems, Inc. Enterprise System Authentication and Authorization via Gateway
CN104038490A (zh) 2014-06-09 2014-09-10 Conew Network Technology (Beijing) Co., Ltd. Communication security verification method and apparatus
CN104113528A (zh) 2014-06-23 2014-10-22 Hanbo Technology Co., Ltd. Method and system for preventing sensitive information leakage based on a front-end gateway
CN104023085A (zh) 2014-06-25 2014-09-03 Wuhan University Secure cloud storage system based on incremental synchronization
US20160036833A1 (en) 2014-07-29 2016-02-04 Aruba Networks, Inc. Client Reputation Driven Role-Based Access Control
US20160142409A1 (en) 2014-11-18 2016-05-19 Microsoft Technology Licensing, Llc Optimized token-based proxy authentication
US20160234298A1 (en) 2015-02-10 2016-08-11 DeNA Co., Ltd. Method and system for load balancing
CN105471833A (zh) 2015-05-14 2016-04-06 Ruishu Information Technology (Shanghai) Co., Ltd. (River Security) Secure communication method and apparatus
CN105491001A (zh) 2015-05-14 2016-04-13 Ruishu Information Technology (Shanghai) Co., Ltd. (River Security) Secure communication method and apparatus
US20160337321A1 (en) 2015-05-14 2016-11-17 River Security Inc. Secure communication method and apparatus
US20170012978A1 (en) 2015-05-14 2017-01-12 River Security Inc. Secure communication method and apparatus
US20170244713A1 (en) 2015-12-09 2017-08-24 Xasp Security, Llc Web server transmission obfuscation

Non-Patent Citations (13)

* Cited by examiner, † Cited by third party
Title
From Chinese Application No. 201510245307.2, Office Action dated Jan. 24, 2018 with English translation provided by Global Dossier.
From Chinese Application No. 201510245307.2, Search Report dated Jan. 9, 2018.
From CN201510243743.6, Office Action and Search Report dated Aug. 19, 2016 with English translation from Global Dossier.
From CN201510243743.6, Office Action dated Dec. 6, 2016 with English translation from Global Dossier.
From CN201510243743.6, Office Action dated Oct. 10, 2016 with English translation from Global Dossier.
From CN201510243743.6, Supplementary Search dated Jan. 3, 2017 with English translation from Global Dossier.
From PCT/CN2016/079838, International Preliminary Report on Patentability (IPRP; CH 1) dated Jul. 11, 2016 with English translation from WIPO.
From PCT/CN2016/079838, International Search Report dated Jul. 11, 2016 with English translation from WIPO.
From PCT/CN2016/079838, Written Opinion dated Jul. 11, 2016 with English translation from WIPO.
From PCT/CN2016/079856, International Preliminary Report on Patentability (IPRP; CH 1) dated Nov. 14, 2017 with English translation from WIPO.
From PCT/CN2016/079856, International Search Report (ISR) dated Jul. 11, 2016 with English translation from WIPO.
From PCT/CN2016/079856, Written Opinion (WO) dated Jul. 11, 2016 with English translation from WIPO.
From U.S. Appl. No. 15/147,780 (now US 2017/0012978 A1), Office Action dated Mar. 26, 2018.

Cited By (4)

Publication number Priority date Publication date Assignee Title
US20190273732A1 (en) * 2016-09-16 2019-09-05 Oracle International Corporation Custom authenticator for enterprise web application
US10911426B2 (en) * 2016-09-16 2021-02-02 Oracle International Corporation Custom authenticator for enterprise web application
US11202180B2 (en) * 2017-03-17 2021-12-14 Icrypto, Inc. System and method for dual notifications and responses
US11134074B1 (en) * 2020-05-22 2021-09-28 Fmr Llc Systems and methods for secure HTTP connections using a distributed certificate validation model

Also Published As

Publication number Publication date
WO2016180204A1 (zh) 2016-11-17
US20160337321A1 (en) 2016-11-17
CN105471833B (zh) 2019-04-16
CN105471833A (zh) 2016-04-06

Similar Documents

Publication Publication Date Title
US10142297B2 (en) Secure communication method and apparatus
US11757662B2 (en) Confidential authentication and provisioning
CN114553568B (zh) Resource access control method based on zero-trust single-packet authentication and authorization
US9219607B2 (en) Provisioning sensitive data into third party
CN111512608B (zh) Authentication protocol based on a trusted execution environment
JP6896940B2 (ja) Symmetric mutual authentication method between a first application and a second application
Kaur et al. A secure two-factor authentication framework in cloud computing
Echeverría et al. Establishing trusted identities in disconnected edge environments
CN108809907B (zh) Certificate request message sending method, receiving method, and apparatus
CN112351037B (zh) Information processing method and apparatus for secure communication
KR101531662B1 (ko) Method and system for mutual authentication between a user terminal and a server
US20140237627A1 (en) Protecting data in a mobile environment
CN114513339A (zh) Security authentication method, system, and apparatus
JP2016522637A (ja) Secured data channel authentication implying a shared secret
CN110138558B (zh) Session key transmission method, device, and computer-readable storage medium
CN113645115B (zh) Virtual private network access method and system
US8769280B2 (en) Authentication apparatus and method for non-real-time IPTV system
CN110225011B (zh) User node authentication method, device, and computer-readable storage medium
RU2771928C2 (ru) Secure data exchange providing forward secrecy
KR20110075088A (ko) Data access control system and method using environmental attribute information
Toapanta et al. Security Algorithms and Protocols to Mitigate Data Risks in the Cloud in a Distributed Environment
CN117728958A (zh) Communication method, apparatus, and system
Nagasuresh et al. Defense against Illegal Use of Single Sign on Mechanism for Distributed Network Services

Legal Events

Date Code Title Description
AS Assignment

Owner name: RIVER SECURITY INC., CHINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LIN, YUMIN;XIAO, HONGYONG;ZHENG, LIN;AND OTHERS;SIGNING DATES FROM 20160421 TO 20160426;REEL/FRAME:039058/0939

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 4